I'm planning to use ChaCha20 just as a CSPRNG. Key is random (taken from strong initial entropy source) and will be constantly replaced via DJB's fast key-erasure scheme. What should I use as the nonce? Does it matter? Is it safe to just use zero?

$\begingroup$I'm using the original DJB spec for ChaCha that has 64-bit counter and nonce, rather than the IETF's broken version with 32-bit counter and 96-bit nonce, but in any case the counter is unlikely to ever exceed 2 or 3 due to re-keying.$\endgroup$
– R.. GitHub STOP HELPING ICEMar 25 at 22:51

$\begingroup$@VivekanandV: 32-bit block counters are largely considered to be a bug/mistake because they compromise security properties if more than 4G blocks are encrypted. DJB intentionally made the counter 64-bit for that reason, and then the IETF spec changed it for inexplicable reasons.$\endgroup$
– R.. GitHub STOP HELPING ICEMar 26 at 16:42